Translation:

ProtonMail, by its own account a “secure e-mail service from Switzerland”, delivers user data to security authorities. User data also goes to law enforcement agencies in the US, a recent case shows.

The proceedings concern threats against, among others, the well-known immunologist Anthony Fauci. In a series of e-mails, the sender threatened, among other things, with killing Fauci and his family.

As the American Justice Department writes, the accused used “an email account from a provider of secure, encrypted email services based in Switzerland”.

According to the relevant affidavit, this email service was ProtonMail. The relevant e-mails end with “Sent with ProtonMail Secure Email”.

Based on data from ProtonMail, which went to the USA for legal assistance, it became apparent that the accused had used several ProtonMail user accounts at the same time.

According to his own statements, the accused had switched to ProtonMail because he believed he was protected by Swiss data protection law and end-to-end encryption. Nevertheless, the sender could be identified in the interaction of data from ProtonMail and other online services such as Mail.com.

Good cooperation between ProtonMail and security authorities According to an article in the Tages-Anzeiger, the Federal Office of Police (Fedpol) confirmed the exchange with the American authorities. At the same time, Fedpol said it was pleased about the collaboration with ProtonMail:

«Protonmail is cooperating with the authorities. The cooperation is good. "

ProtonMail has to cooperate with Swiss security authorities. With the Surveillance Act BÜPF and the Intelligence Service Act (NDG), Switzerland is a fully-fledged surveillance state. Switzerland provides mutual legal assistance to the USA on the basis of the Legal Assistance Treaty of 1973, for example for gathering evidence in American criminal proceedings.

ProtonMail founder Andy Yen originally stated that the company would rather leave Switzerland than comply with the BÜPF. ProtonMail stayed in Switzerland and has to comply with Swiss surveillance law.

Screenshot: Advertising promise on the ProtonMail homepage

ProtonMail as a godsend for Swiss security authorities For security authorities in Switzerland, ProtonMail is a godsend, because many users wrongly believe that their data is actually protected by the “strict Swiss data protection laws” with ProtonMail. They do not know that the applicable data protection act (DSG) in Switzerland does not guarantee effective data protection and that criminal proceedings and surveillance measures are not covered by the DSG at all (Art. 2 Para. 2 lit. c DSG).

Such users also believe in the promises of “automatic e-mail security” and “anonymous e-mail”. You overlook the fact that ProtonMail already mentions on the homepage that it does not always, but only «by default», do without the logging of IP addresses. ProtonMail also advises in its data protection declaration to scan the content of incoming and outgoing e-mails.

Even users with criminal intentions trust in the protection of privacy that ProtonMail promises. They overlook the fact that data is generated even with ProtonMail. Such data serve security authorities in Switzerland and abroad as a valuable basis for investigations.

ProtonMail’s transparency report does not (yet?) Contain any information about the case. The transparency report is said to have been updated on June 23, 2021, but ends with the case descriptions in June 2020. According to the number of cases, ProtonMail delivered data to security authorities in Switzerland and abroad in over 3,000 cases in 2020.

Well that just sucks.

The sender is an idiot. Not only for the attack, but for assuming sending email is anonymous.

People need to understand the difference between E2EE, privacy, and anonymity. People need to understand what is encrypted, what isn’t, and what anonymous means.

That article is from 2021, but still good information.